Layer 7 Visibility and Control
February 2013
This document highlights the foundation of Meraki's self-learning layer 7 traffic analytics engine and the rich visibility and intuitive management that it facilitates.
2013 Cisco Systems, Inc. All rights reserved
Meraki is a registered trademark of Cisco Systems, Inc.
Table of Contents
1 Introduction (p. 3)
2 Meraki Traffic Shaping Technology (p. 5)
3 Management & Control (p. 8)
4 Comparison with typical solutions (p. 10)
5 Conclusion (p. 11)
Meraki, Inc. | 660 Alabama St, San Francisco, CA 94110 | (415) 432-1000 | email@example.com
1 Introduction
The Value of Application Visibility
An increasing reliance on Internet access for corporate productivity has created an expectation of high performance and ubiquitous connectivity in the enterprise. In parallel, bring your own device (BYOD) and cloud computing trends have led to a rapid proliferation in the number of devices and applications used in enterprise networks. These factors can strain traditional networks and create issues such as bottlenecks in network performance. IT departments are expected to deliver high performance and application optimization under constrained costs, finite bandwidth capacity, and a required minimum quality of service (QoS) for critical applications. Meeting these requirements can be challenging for budget- and time-constrained IT departments.
Two factors are critical for addressing these challenges: clear, concise insight into network performance, and an ability to enforce network policies that optimize the network's performance. Network admins must be armed with complete knowledge of network utilization, not only in terms of bandwidth, but also across all layers, up to the application level. Understanding which devices and users access specific applications, and the amount of time spent and traffic flowing on each, provides valuable context for understanding user behavior and prompts the design of effective network policies. Finally, a built-in toolset for creating and applying flexible policy sets ensures that the IT admin can act on application information to help deliver optimal network performance.
An emerging use of application visibility is to leverage this data to enhance customer engagement via interactive campaigns and targeted experiences. Understanding the flow of applications, users, and time spent can help the marketing department of a retail outlet or hotspot provider answer the age-old question: "What are my users doing?" This level of visibility and the actionable data it provides are yet another reason to require application-layer visibility in networking infrastructure.
Meraki's unique traffic analytics engine provides visibility across all layers of the network stack, ranging from the port and protocol layer up to the application layer (e.g., Facebook and YouTube). In addition, Meraki's latest enhancements (released in 2013) include deep statistical analysis of parameters such as time spent per user and per application on a flow-by-flow basis; this provides valuable context on user behavior instead of an aggregate dump of all applications accessed on the network. Finally, Meraki's ability to create Layer 7 application firewall and traffic rules and apply them on a per-group basis gives the network admin a rich toolbox for customizing and optimizing their network based on the analytics data presented. Layer 7 traffic analysis is available across Meraki's wireless (MR), switching (MS) and security (MX) product lines, and traffic shaping is available on Meraki's MR and MX product lines. This paper takes a closer look at this innovative functionality.
Figure: Traffic analysis and shaping engine
2 Meraki Traffic Shaping Technology
Deep Packet Inspection and Traffic Signatures
To provide rich traffic analysis capabilities, Meraki wireless, switching, and security products perform deep packet inspection (DPI) of traffic on the network on a flow-by-flow basis. This analysis is then uploaded in real time to the Meraki cloud for statistical aggregation from all edge endpoints. Detailed information is made available to a network admin on their Meraki dashboard through customizable network and time formats. Meraki's capabilities include an analysis of various elements, such as IP addresses, host names, and port ranges, combined with a behavioral analysis of each traffic flow. This facilitates a deeper categorization of traffic beyond simple port- or IP-based classification; examples include peer-to-peer (P2P) file-sharing and social gaming sites that are constantly adding servers and therefore cannot be tracked simply by IP address.
The inspection of thousands of traffic patterns over several years led Meraki to create a database of traffic signatures that can be used to recognize network traffic at the application level. An especially challenging task is the recognition of peer-to-peer traffic, which has traditionally been very difficult to pin down due to constantly changing IP addresses and port ranges; via careful analysis of torrent traffic streams, Meraki created a heuristic signature that recognizes short TCP sessions across a fleeting range of IP addresses, allowing for the classification of P2P traffic. Similar heuristics are applied in the absence of any specific identifying information for a range of applications; these heuristics make up a library of Meraki's traffic signatures, which is maintained in Meraki's cloud, allowing for rapid updates based on the discovery and analysis of new traffic patterns. In addition, the ability for the network admin to create custom signatures using host names, IP address ranges, and ports allows for tracking traffic to specific destinations. For example, an admin can create signatures to track activity such as employee access to a local web or email server.
Figure: Screenshot of Meraki dashboard showing breakdown of web traffic
New applications, protocols and traffic patterns are continuously emerging. While providing an overarching traffic signature can be a compelling way to reduce complexity, admins often want deeper granularity and a more detailed breakdown of which IP addresses or host names are being accessed under broad signatures such as "Miscellaneous web".
The need to provide deeper visibility into traffic led to the development of a new classification scheme that allows for the dynamic creation of signatures based on host names and IP addresses. Examples include a signature for mail.company.com to provide visibility into its unique traffic flows, and a granular host name and IP address breakdown of a category such as Dropbox to allow deeper inspection of the specific IP addresses and host names contributing to that application. This breakdown is especially useful for broad categories such as "Non-web TCP", where it provides a detailed list of all of the destinations visited within the category. This new learning engine allows for the dynamic creation of traffic signatures based on traffic patterns, and provides deeper visibility to admins seeking to understand what their users are doing.
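As an added illustration of the classification scheme described above (admin-defined host/IP/port signatures, the short-session P2P heuristic, and the dynamic host-name breakdown of otherwise unclassified flows), here is a small Python classifier; it is not Meraki's code, and its signature values, thresholds and sample flows are assumptions.

```python
import ipaddress
from collections import defaultdict, namedtuple
# One flow record: client IP, server IP, dst port, "tcp"/"udp", host name ("" if none), duration
Flow = namedtuple("Flow", "client server port proto host seconds")
# Admin-defined custom signatures (hypothetical values): host name, IP range and/or port.
CUSTOM_SIGNATURES = [
    ("Corporate mail", {"host": "mail.company.com"}),
    ("Local web server", {"net": "10.0.5.0/24", "port": 443}),
]
def match_custom(flow):
    """Return the first custom signature whose every condition the flow satisfies."""
    for name, rule in CUSTOM_SIGNATURES:
        if rule.get("host") not in (None, flow.host) or rule.get("port") not in (None, flow.port):
            continue
        if "net" in rule and ipaddress.ip_address(flow.server) not in ipaddress.ip_network(rule["net"]):
            continue
        return name
    return None

def p2p_clients(flows, min_peers=8, max_seconds=5.0):
    """Heuristic: a client opening many short TCP sessions to many distinct IPs."""
    short_peers = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.seconds <= max_seconds:
            short_peers[f.client].add(f.server)
    return {c for c, peers in short_peers.items() if len(peers) >= min_peers}

def classify(flows):
    """Label each flow: custom signature, then host-name signature, then heuristic, then fallback."""
    suspects = p2p_clients(flows)
    labelled = []
    for f in flows:
        label = match_custom(f)
        if label is None and f.host:                  # dynamic host-name signature
            label = "Web: " + f.host
        elif label is None and f.client in suspects:  # no identifying info: apply heuristic
            label = "P2P (heuristic)"
        elif label is None:
            label = "Non-web " + f.proto.upper()
        labelled.append((f, label))
    return labelled

# Constructed sample flows using documentation address ranges, not captured traffic.
SAMPLE = [
    Flow("192.0.2.10", "10.0.5.20", 443, "tcp", "", 30.0),
    Flow("192.0.2.10", "198.51.100.5", 443, "tcp", "mail.company.com", 12.0),
    Flow("192.0.2.11", "203.0.113.7", 443, "tcp", "www.dropbox.com", 20.0),
    Flow("192.0.2.11", "203.0.113.50", 5000, "udp", "", 8.0),
] + [Flow("192.0.2.12", f"203.0.113.{100 + i}", 6881, "tcp", "", 1.5) for i in range(10)]
```

Running `classify(SAMPLE)` labels the first four flows by custom signature, host name and protocol fallback respectively, and labels the ten short sessions from 192.0.2.12 as P2P even though none of them carries a host name or a known port.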
Deep Packet Inspection at Line Rate
Leveraging powerful hardware components selected with rich capabilities such as traffic analysis in mind, Meraki products perform traffic inspection and classification at line rate, ensuring no drop in performance when used in conjunction with the numerous other features available. For example, Meraki's MX security appliance can run traffic shaping in conjunction with Auto VPN to dozens of other sites in a mesh VPN topology, all at line rate whilst passing hundreds of megabits of traffic. Careful selection and design of silicon components was required to tightly integrate hardware and software for optimized performance.
Figure callout: Highly optimized hardware and software integration allows for line-rate
Integrated Cloud Management
Meraki's hardware products and cloud maintain a tight feedback loop through a highly compressed 1 kbps management tunnel, which carries traffic analytics and configuration information such as network settings. In addition to traffic signatures being pushed from the cloud to the edge and traffic flow data being pushed back to the cloud, additional context information is sent on a per-flow basis, including users and applications, and the per-user average and total time spent on each application or website.
Figure: Meraki hardware and cloud architecture, with callouts: cloud-based management and reporting; enhanced CPU for Layer 3-7 firewall and traffic shaping; additional memory for content filtering; 48 x 1 GbE ports with 802.3af/802.3at PoE/PoE+; enhanced CPU/memory for Meraki cloud management; built-in 4x 10 GbE SFP+ ports for core connectivity/stacking; 3x3 MIMO, dual 802.11 radios with 3 spatial streams for up to 900 Mbps
The Meraki cloud leverages the processing capabilities of a distributed data center architecture to a